NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

NCUA WEBSITE PRIVACY AND "COOKIES" REVIEW

Report #OIG-01-06                                   May 31, 2001

Frank Thomas
Inspector General

Released by:                              Auditor in Charge:
William A. DeSarno                        Tammy F. Rapp
Assistant Inspector General for Audits    Senior IT Auditor


TABLE OF CONTENTS

                                                                        Page

EXECUTIVE SUMMARY                                                        i

INTRODUCTION                                                             1

BACKGROUND                                                               1

OBJECTIVES                                                               3

SCOPE AND METHODOLOGY                                                    3

OBSERVATIONS AND RECOMMENDATIONS                                         5

     NCUA's Internet Privacy Statement Substantially Complied with       5
     OMB Policy

     NCUA is in Compliance with Its Policy Prohibiting the Use of        6
     Cookies on Its Internet Site

     NCUA does not Create User Profiles, Sell, or Give Away              6
     Personal Information Obtained via the Web Site or E-mail

     NCUA needs to ensure the privacy policy is posted on all major      7
     entry points

     NCUA should post a notice informing visitors when they exit the     7
     NCUA website

EXHIBIT:                                                                 8

     NATIONAL CREDIT UNION ADMINISTRATION'S
     INTERNET PRIVACY POLICY STATEMENT


EXECUTIVE SUMMARY

Public Law 106-554 required Inspectors General to submit a report to Congress relating to the collection of personally identifiable information. In addition, the National Credit Union Administration (NCUA) Office of Inspector General (OIG) took this opportunity to review NCUA's compliance with Office of Management and Budget Memoranda M-99-18 and M-00-13, which require agencies to post Internet privacy policies and generally prohibit the use of persistent cookies on agency web sites.

The OIG found that NCUA's Internet Privacy Statement substantially complied with OMB policy. The OIG also determined NCUA was in compliance with its policy prohibiting the use of cookies on its Internet site. NCUA collects limited personal information through its web site and does not create any user profiles or sell any personal information that is obtained via the web site.

The OIG review focused on the collection of personal information through electronic submission of data and the use of cookies on NCUA's external Internet site. The review included inquiry of personnel, document review and analysis. The OIG also tested 384 pages on NCUA's web site to determine if cookies were placed on visitors' computers.

The OIG offered two recommendations for improving web site policy notification. NCUA has agreed to complete action on the report's recommendations by June 29, 2001.


INTRODUCTION

The "Treasury and General Government Appropriations Act, 2001," Public Law 106-554, Appendix C, 114 Stat. 2763A-170 ("P.L. 106-554"), requires Inspectors General (IG) to submit a report to Congress relating to the collection of personally identifiable information. In addition to this requirement to report on the collection of personal information, the National Credit Union Administration (NCUA) Office of Inspector General (OIG) took this opportunity to review NCUA's compliance with Office of Management and Budget (OMB) Memoranda M-99-18 and M-00-13, which require agencies to post Internet privacy policies and generally prohibit the use of persistent cookies.


BACKGROUND

The public has great concern about the protection of their privacy. Of recent interest, the public has been concerned with organizations using Internet cookies to obtain personal information and/or using that information to track personal habits. As a result of this concern, Congress passed legislation to protect the public's privacy when surfing federal web sites.

A cookie is a small text file placed on a visitor's computer by a web server. When a visitor goes to a cookie-enabled web site, the server sends a small text file to the user without the user taking any action (and generally without the user's knowledge). This file can be used to track a visitor when they return to the web site. With the exception of the user's IP address [1], type of browser, and operating system, only information the visitor provides can be stored in a cookie.

Allowing a web site to create a cookie does not give that or any other site access to the rest of your computer, and only the site that created the cookie can read it. Cookies are frequently used by Internet shopping sites to keep account information and personal preferences, such as user id, password, and items placed in a shopping cart. The most controversial use of cookies is the collection of demographics, browsing, and/or shopping habits by advertising companies.

There are different types of cookies. Session cookies are stored temporarily on a visitor's computer and expire when the visitor closes the browser. Since the cookie is temporary, it cannot be used to track a visitor, and therefore there are fewer privacy concerns with session cookies. Persistent cookies are permanently stored on the visitor's computer until the cookie's expiration date, and each time the visitor returns to the subject web site, the cookie informs the server that this particular visitor has returned.

[1] An IP address is a unique string of numbers that identifies a computer on the Internet. Although this could be used as a personal identifier, most large organizations use one IP number through a proxy server, and most home users are assigned a dynamic address by their Internet service provider. It is usually difficult or impossible to associate an IP address with a person.

Section 646 of P.L. 106-554, enacted on December 21, 2000, requires that "the Inspector General of each department or agency shall submit to Congress a report that discloses any activity of the applicable department or agency relating to –
    1. the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and
    2. entering into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for governmental and nongovernmental Internet sites."

OMB Memorandum M-00-13 reminds agencies to establish clear privacy policies for their web activities and to comply with those policies. This memo prohibits the use of "cookies" at Federal web sites unless four conditions are met:
    • The site gives clear and conspicuous notice;
    • There is a compelling need to gather the data on the site;
    • Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and
    • The agency head gives personal approval for the use.

OMB clarified the definition of "cookies" in a memo dated September 5, 2000. This memo prohibits the use of persistent cookies unless the above four conditions are met. It further states, "we are concerned about persistent cookies even if they do not themselves contain personally identifiable information."

The September clarification permits the use of session cookies, as follows: "specifically, they may retain the information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites. When used only for a single session or transaction, such information can assist web users in their electronic interactions with government, without threatening their privacy."

OMB M-99-18 directs agencies "to post clear privacy policies on World Wide Web sites". Specifically, agencies should "add privacy policies to any other known, major entry points to your sites as well as at any web page where you collect substantial personal information from the public. Each policy must clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use it. Privacy policies must be clearly labeled and easily accessed when someone visits a web site."

The attachment to M-99-18 provided guidance and model language for web site privacy policies: "Every Federal web site must include a privacy policy statement, even if the site does not collect any information that results in creating a Privacy Act record." The attachment to M-99-18 also provides specific examples that may be incorporated in an agency's web site privacy policy statement.


OBJECTIVES

Our objective was to determine whether NCUA was in compliance with the OMB and agency policies on the privacy of personal information obtained via the agency's web site and the use of Internet cookies.


SCOPE AND METHODOLOGY

Our review focused on the collection of personal information through electronic submission of data and the use of cookies on NCUA's external Internet site. Our review included inquiry of personnel, document review and analysis. We also tested NCUA's web site to determine if cookies were placed on visitors' computers.

Specifically, we performed the following steps:
    • Interviewed the Chief Information Officer and Webmaster
    • Reviewed the following laws and regulations pertaining to website privacy and collection of personal information:
        o Public Law 106-554, 12/21/2000
        o OMB Memo, 9/5/2000, clarifying M-00-13
        o OMB M-00-13, 6/22/2000
        o OMB M-99-18, 6/2/1999
    • Reviewed NCUA's Internet Privacy Policy and compared it to guidance issued by OMB
    • Reviewed General Accounting Office (GAO) and other IG audit reports.

In addition, we tested 384 pages on NCUA's web site to determine if any cookies were placed on a visitor's computer. We tested the most commonly accessed pages from the period between May 12 and May 19, 2001, as well as most of the major categories and offices. To perform the test, we used an option in our Internet browser to prompt us before a cookie was created on our computer. We also determined if any personal information was requested of the user. As of May 19, 2001, NCUA had 6,111 unique URLs [2], which included web pages, graphic files, Adobe documents, and executable files.

The OIG conducted this audit from our office in Alexandria, Virginia, during May 2001. This review was performed in accordance with generally accepted government auditing standards.

[2] URLs are the Internet equivalent of addresses.


OBSERVATIONS

NCUA's Internet Privacy Statement Substantially Complied with OMB Policy

NCUA was in substantial compliance with OMB guidance regarding privacy policies on websites. NCUA's policy was clearly labeled and easily identified on the home page (see graphic below). The policy indicates, "NCUA does not use cookies." It also addresses the collection of personal information from the web site, on-line forms, and e-mail correspondence.

The Webmaster prepared the privacy policy statement for posting on the web site. In August 1999, the Office of General Counsel reviewed the draft statement prior to posting and recommended placement of the privacy policy on pages "where the NCUA website invites the public to submit comments or otherwise contact us". The privacy policy was posted in late August 1999.

OMB M-99-18 requires agencies to post clear privacy policies on major entry points of their websites. The policy should be clearly labeled, easily accessible, and include what information is collected, why it is collected, and how the agency will use it.

We did not observe any web page where substantial personal information was collected on NCUA's web site. The primary source of any personal information was the user's own e-mail request. The only exception to compliance with OMB's policy related to the posting of the Internet privacy policy. We found the privacy policy posted on the home page and a few other selected pages throughout the site, but the privacy policy was not currently posted on all major entry points.

We did not observe any notices prior to leaving the NCUA website and going to an external link. Although not required by OMB, it is important to clearly notify visitors when exiting the NCUA website that our privacy policy no longer applies and the policy of the website they are transferred to applies. For instance, some of the links contained on NCUA's website transferred visitors to commercial sites that set persistent cookies.

NCUA is in Compliance with Its Policy Prohibiting the Use of Cookies on Its Internet Site

NCUA clearly states in its policy that "NCUA does not use 'cookies.'" We tested 384 pages of NCUA's web site to confirm compliance with the policy and found no indication of cookies. To test the web site, we used a feature of our Internet browser that prompts the user when a cookie is present.

OMB M-00-13 and the subsequent clarification memo prohibit the use of persistent cookies unless four conditions are met. Session cookies are permitted. We did not detect any persistent or session cookies on NCUA's web site.

NCUA does not Create User Profiles, Sell or Give Away Personal Information Obtained via the Web Site or E-mail

Our review of NCUA's web site and Internet privacy policy confirmed that limited personal information is collected directly from the Internet. There were e-mail and other on-line forms where a visitor may provide personal information, but this information is generally limited to name, e-mail address, and other contact information. NCUA uses the information provided to fulfill visitor requests and make improvements to its web site.

We reviewed a log from the web server. The web server log shows the most frequently used time periods, most commonly accessed web pages, and IP addresses. We did not observe any personal information collected via the web server log.

NCUA does not compile any personal information to create user profiles. Any limited personal information obtained is used for performing government functions. NCUA's policy states, "NCUA does not give, sell or transfer personal information to third parties, unless required by law."


RECOMMENDATIONS

NCUA needs to Ensure the Privacy Policy is Posted on All Major Entry Points

Recommendation #1: NCUA needs to ensure compliance with OMB M-99-18 by defining major entry points and ensuring the privacy policy is posted at these points. Some agencies have defined major entry points as the home page, most frequently accessed pages, web pages where substantial personal information is collected, or major components. Some have used a combination of these criteria to define major entry points.

Should NCUA begin to collect personal information via its web site in the future, OMB requires the privacy policy to be posted on pages where substantial personal information is collected, in addition to major entry points.

OCIO stated that it is in the process of defining NCUA's web site entry points and posting the privacy policy at these points by June 29, 2001.

NCUA should Post a Notice Informing Users when they Exit the NCUA Website

Recommendation #2: Although not required by current laws and regulations, NCUA should post a notice informing visitors when they are leaving the NCUA web site. This notice should inform visitors that NCUA's privacy policy does not apply once they leave our site, and that NCUA is not responsible for the content of the external site.

OCIO has stated that by June 29, 2001, it will identify NCUA's major website exit points and post a notice at these points that the user is exiting NCUA's site and that NCUA's privacy policy is no longer in effect.


EXHIBIT:
NATIONAL CREDIT UNION ADMINISTRATION'S
INTERNET PRIVACY POLICY STATEMENT

Internet Privacy Policy Statement
for the
National Credit Union Administration

Thank you for visiting the National Credit Union Administration Web site and reviewing our internet privacy policy.

Information Collected and Stored Automatically

For site security purposes and to ensure that this service remains available to all users, NCUA employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.

For site management, information is collected for statistical purposes. Computer software programs are used to create summary statistics, which are used for such purposes as assessing what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas. No personal information, such as your name or address, is collected or used for this analysis. We collect no information which would identify you personally.

We automatically collect and store only the following information about your visit:

    • The Internet domain (for example, "xcompany.com" if you use a private Internet access account, or "yourschool.edu" if you connect from a university's domain) and IP address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web) from which you access our web site
    • The date and time you access our site
    • The pages you visit and the result of the request, such as an image or query
    • Other status codes and values resulting from the Web server responding to the request received: HTTP status code, Windows NT code, number of bytes sent, number of bytes received, duration (in seconds) to fulfill the request, server port number addressed, and protocol version.

NCUA does not use "cookies." (A "cookie" is a file placed on your hard drive by a Web site that allows it to monitor your visit, usually without your knowledge.) You can set your browser to warn you when placement of a cookie is requested and decide whether or not to accept it.

Information Collected from E-mails and Web Forms

When you send us personally identifying information, for example, in an electronic mail message containing a question or comment or by filling out a form that E-mails us this information, we use this information to fulfill or respond to your requests. We may store these requests to provide us with information for future improvements to our Web site. We may forward your E-mail to other government employees who are better able to respond to your request. NCUA may also use this information to help us do our work. We do not create individual profiles with the information you provide. NCUA does not give, sell or transfer personal information to third parties, unless required by law.
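The report's cookie test relied on a browser prompt before each cookie was created. The following added example (not OIG or NCUA code) shows how the same check can be made against captured HTTP response headers, classifying each Set-Cookie header as a session cookie, a persistent cookie (Expires or Max-Age in the future, the case OMB M-00-13 restricts) or an expired one, and flagging cookies scoped to a domain other than the audited site. The host names, URLs and headers below are constructed sample data, and the audit date is assumed to be May 19, 2001 to match the report's test period.

```python
"""Classify Set-Cookie headers from captured responses (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Reference date for lifetime calculations (assumption: the report's test date).
AUDIT_DATE = datetime(2001, 5, 19, tzinfo=timezone.utc)

# Constructed sample: (url, list of (header, value)) pairs as a capture would yield.
SAMPLE_RESPONSES = [
    ("http://www.agency.example/", [("Content-Type", "text/html")]),
    ("http://www.agency.example/forms/", [("Set-Cookie", "ASPSESSIONID=abc123; Path=/")]),
    ("http://ads.example.net/track", [("Set-Cookie",
        "uid=42; Expires=Sun, 19 May 2002 00:00:00 GMT; Domain=.ads.example.net; Path=/")]),
    ("http://www.agency.example/old", [("Set-Cookie", "legacy=1; Max-Age=0; Path=/")]),
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lowercased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(header, now=AUDIT_DATE):
    """Return (name, kind, lifetime_seconds); kind is 'session', 'persistent' or 'expired'.
    Max-Age takes precedence over Expires, as browsers apply RFC 6265."""
    name, _value, attrs = parse_set_cookie(header)
    lifetime = None
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            expires = None  # unparseable date: the attribute is ignored, so session cookie
        if expires is not None:
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
    if lifetime is None:
        return name, "session", None
    return name, ("expired" if lifetime <= 0 else "persistent"), lifetime


def audit_site(responses, site_host, now=AUDIT_DATE):
    """List every cookie set in the capture, with its kind and whether its
    Domain attribute points outside the audited site (third-party scope)."""
    findings = []
    for url, headers in responses:
        for key, val in headers:
            if key.lower() != "set-cookie":
                continue
            name, kind, lifetime = classify_cookie(val, now)
            domain = parse_set_cookie(val)[2].get("domain", "").lstrip(".")
            findings.append({"url": url, "cookie": name, "kind": kind, "lifetime": lifetime,
                             "third_party": bool(domain) and not site_host.endswith(domain)})
    return findings


def summarize(findings):
    """Count cookies per kind; a non-zero 'persistent' count is the audit finding."""
    counts = {"session": 0, "persistent": 0, "expired": 0}
    for finding in findings:
        counts[finding["kind"]] += 1
    return counts


if __name__ == "__main__":
    for f in audit_site(SAMPLE_RESPONSES, "www.agency.example"):
        print(f)
    print(summarize(audit_site(SAMPLE_RESPONSES, "www.agency.example")))
```

The report found no cookies at all on the tested pages; on this constructed capture the persistent, third-party cookie from the external site is the one that would be reported.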